Posted by kdawson on Friday March 06, 2009 @09:29AM
from the art-of-the-blacklist dept.

krou writes "The BBC is reporting that the Information Commissioner's Office has shut down a company in the UK for a serious breach of the Data Protection Act. It claims that the company, The Consulting Association in Droitwich, Worcs, ran a secret system that it repeatedly denied existed for 15 years, selling workers' confidential data, including union activities, to building firms, allowing potential employers to unlawfully vet job applicants. About 3,213 workers were in the database, and other information included data on personal relationships, political affiliations, and employment histories. More than 40 firms are believed to have used the service, paying a £3,000 annual fee, and each of them will be investigated, too." The article says that The Consulting Association faces a £5,000 fine — after pulling in £1.8 million over 15 years with its illegal blacklist.

Actually, it can get a lot worse for them: they can be forced to stop all data exports for a long investigation time. I was on a project receiving data for a rather large global company (who is making the news quite regularly these days) from all European markets as part of a pan-European system. The data itself was nothing special; the company owned it in each market and was merely transferring it around within, yet one country's data protection overlords somehow found protocol wasn't precisely being followed.

Well, it was. This is an old school method...currently being replaced by just scanning the internet in general, target searching on Facebook and the like.

As much as the old music industry is hurting with online distribution, so will services like this due to this kind of information being out there for free.

I concur; I limit the amount of info on my social sites. Some of the practices or conclusions that these create are neither safe nor ethical. Does it really matter that someone dressed up on Halloween like a pirate? Does that make them a software pirate? But that is what some dumb folk will say if they look on a Facebook page of wacky drunkenness.

ok I am blaming the stupid here and....

Oh wait, that's ok. If they have no clue I wouldn't work for them anyway. If you have to rely on someone else to tell y

OK, 3,213 employees (and former employees, one would think) in the database. Forty firms are paying £3,000 on a yearly basis for information on that tiny little group... How often do those 3,213 people apply for new jobs?

It's kind of hard to say "continue, please" louder than by slapping such an enormous fine.

What are the odds of the employers who illegally used said database being fined or punished in some way? Punish the people who used the database and you'll find that the next time someone offers up illegal information for sale they'll have a much harder time finding customers.

If it's the same small statutory fine, they could just pay it and keep going. It's not like this data is a product they're selling, this data is just a small HR cost with potentially large abusive rewards.

This is a fundamentally different scenario. Johns/small-time pot smokers commit victimless crimes. The firms in this case are knowingly violating the privacy of each of these 3,000-plus workers. It would be more like prosecuting someone who attempts to hire a hitman.

The penalty does apply per incidence. There is one incidence. The prosecution is for failing to register the company with the data protection office, not for selling the data. And the summary also appears to be wrong to say that the DCO has closed down the company; all the report says is that it has already ceased trading.

Most people working in the construction industry do not have a Facebook account. Most probably do not have a MySpace account either. They also probably don't have a lot of access to legal options either.

Most people working in the construction industry do not have a Facebook account. Most probably do not have a MySpace account either. They also probably don't have a lot of access to legal options either.

That's the infuriating aspect of this for some of us in the infosec world. This wasn't "selling private data", it was a good old-fashioned blacklist of "troublesome" employees who did annoying things like joining unions, complaining about health and safety violations (construction's very dangerous in the UK, I think it's ~100 deaths a year, and you can work out the ratio of deaths to maimings and career-ending injuries.) What they did was vile and evil, and the companies (huge mainstream FTSE-listed corporations, mostly) should be taken to the fucking cleaners as a clear sign that this sort of thing is illegal for good reasons, and will not be tolerated. However it's got FA to do with "leaking of personal data"; the headlines here, on the Beeb and even El Reg have been totally misleading.

Chances are, sharing this type of data would break various laws in the US, including those protecting workers' rights to unionize and whistleblower protection laws.

Individual workers could also sue the company for providing information that was prejudicial against them to prospective employers. When I was a manager, we couldn't even say *good* things about previous employees; if we got a call from a prospective employer checking an applicant's previous employment, all we could do was confirm (or fail to co

I agree with you totally pmarini. Unfortunately this is just the proverbial iceberg tip, with much more still hidden. These are corporations whose activities the last few decades since Reagan have centered on removal of restrictions, merging of interests with national law, and abolition through demonization of unions.

Hell, I've got karma to burn so with a -1 Troll mod, let's add a -1 offtopic, b/c the kosdot mods don't have a -1 disagree option. Seriously google jobs bank uaw if you don't believe my claim of sweetheart deals. Next google merit pay teachers to see how that union is making reform difficult.

I think the mods' problem with you is your erroneous extrapolation of a couple of (admittedly important) problems with particular unions to the conclusion that all unions are evil and must be destroyed wherever they are found.

Even if they agreed to a background check, they probably didn't agree to be checked for activities that aren't in any way illegal or reflecting on job performance, such as (FTFA) "ex-shop steward" or "Irish ex-Army".

In this case it's not the checking of the employees that is the focus of attention (it says the companies using the service were written to and warned), but the building of the database. The employees' details were not allowed to be shared in such a way without their permission, and the company wasn't registered to even create such a database. Certain details (such as records of them reporting safety breaches, union membership etc.) would be of debatable legality in any database of that type.

This decision establishes that The Consulting Association's actions were illegal. In the US, The Consulting Association would now be the target of lawsuits from workers affected by those illegal actions. I'm not quite sure if it's the same deal in the UK.

This decision establishes that The Consulting Association's actions were illegal.

No it doesn't. That won't be established until the court rules on it, and it hasn't come to court yet.

In the US, The Consulting Association would now be the target of lawsuits from workers affected by those illegal actions. I'm not quite sure if it's the same deal in the UK.

Not yet, because it's not yet established that the actions were illegal. Even if the ruling goes the way everybody here assumes it already has, all it will establish is that the data was being sold by a company not properly registered with the DCO, not whether the selling of the data is itself illegal. Indeed, it seems it isn't, because (from the RA) 'A spokesman for the Department for Business said it did

Does your government sell information about your political activities etc to a cabal of semi-criminals? No? Well, there you have your answer, then.

Just because you have an ingrown bias that tells you that "Everything the government does is evil, and everything a private business does is sort of OK, even if it is criminal" doesn't mean that it makes sense. You would probably benefit from taking off your blinkers once in a while.

This blacklist was specifically for the construction industry - for those who haven't RTFA. The terrible thing is that this list, and its sale for money, has been around for years and years. It's the industry's dirty little secret. It's only now they've computerised the records that they can use the Data Protection Act to prosecute. Sadly, I have no doubt that the information will live on somehow. All the major players have fingers in the pie and won't give it up, I think.

The Data Protection Act has been around for about 10 years already in the UK, and from what I can understand, the electronic database has been around for 15 years. They didn't recently digitize it. Of course, before then, it's anybody's guess, but these guys could have been prosecuted 10 years ago.

It's only now they've computerised the records that they can use the Data Protection Act to prosecute.

That's not true. The DPA covers "information which... (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system", where "relevant filing system" is defined as "any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible."

So, I wonder what the odds are that potential claimants will be pushed into the delightful catch-22 of "Oh, sure, if you were on the secret list you would be entitled to redress; but secret list is secret, so how are you going to prove that?"

Yeah, not going to be too easy, but at least they're taking it seriously and offering help. According to news on the ICO's website [ico.gov.uk], "From 16 March the ICO will operate a dedicated enquiry system for people who believe personal information about them may be held on the database. Members of the public are advised not to contact the ICO until 16 March."

Just to point out that the original BBC article (when I submitted the story to /.) had a quote from the notes in the illegal database stating that someone was a member of the Communist Party, hence why I mentioned it contained political affiliations. Not sure why the BBC removed this, but just thought I'd mention it in case someone wonders why.

British employers are paranoid that potential employees are Communists or worse. They subscribe to a secret blacklist that potentials have no knowledge of, or ability to refute allegations from. Anyone blacklisted will not be employed, but the work still needs to be done.

So they draft in cheap labor from countries that didn't even exist twenty years ago. As these migrant workers aren't on the blacklist, they get cherry picked for work that local labor should have the same rights to apply for. The end result being the rise of local unemployment through no fault of the workers.

Foreign workers tend to show up on time and do the job without whining. I'd take half a dozen random Poles over half a dozen random Brits any day. Why British people are so convinced they deserve a job in front of people who work harder and for less than they do is a source of constant mystery to me.

Translation: I'd prefer to employ illegal immigrants because if they complain about dangerous working conditions or being paid less than minimum wage, I can just have them deported rather than doing something about the problem.

Actually, the economy's fucked because we don't actually make things any more. The trend since the eighties has been for Britain to turn into one big bank. We don't make things - we finance other people to make things, and take a cut of the proceeds. Or rather, we sell their debts on to get the cash up front now and let someone else hold that risk. Or, even more profitably, we wait for someone else to finance yet another someone else to make things, we buy the debt, repackage it, and sell it on to the emplo

British Employers are paranoid that potential employees are Communists or worse.

I think you're extrapolating USA anti-communist paranoia to the UK. Trade unions are fairly mainstream - heck, the current ruling party originated as the political arm of the trades unions and they rarely talk about deposing the Queen and hoisting the red flag over London these days (Mind you, the Labour Party and the unions aren't quite as pally these days - the unions having discovered that, whoever you vote for, the Government always gets in). However, union activists might be awkward about pay and condi

The database itself isn't illegal. What's illegal is not telling the subjects of its existence, not giving them the opportunity to have information contained in it corrected, and some of the recruitment decisions made on the basis of it.

Isn't there a solution proposed in many legal systems? Put oversimplified: "You cannot profit from the crime you committed"?

I.e. they would have to give back* the 1.8 million pounds PLUS the 5 thousand pound fine. More than likely they don't have that 1.8 million laying around somewhere, having spent much of it in time, so that'll be fun to pay back... that 5 thousand would look rather trivial in comparison. This extends to doing interviews, selling movie rights, etc. - all of it would go back into payin

Better than that. Fine them the average annual wage lost by the builders on their list, say £15,000 a year, times 3213 builders, times the number of years the list operated = £722,925,000 spread evenly across the data company and the customers that used them.

Let's say that I run a company and we are absolutely committed to never, ever hiring an "ex-shop steward". Let's assume there isn't a service on the Internet where I can look up people to determine if they were ever involved in union leadership.

What am I to do? Well, I could just hire people in an uninformed way and hope for the best. Right?

Wrong. I would (obviously) do whatever it takes to make sure that prospective employees are not and never have been union-affiliated. Sure, this might result in som

I would (obviously) do whatever it takes to make sure that prospective employees are not and never have been union-affiliated.

Then you would be acting unlawfully. Here in the UK you have a right to be represented by a union; not employing someone because of union-related activities would be illegal in itself. Similarly, you can't refuse to employ someone if they refuse union membership (as seems to be the case over in the States, judging by previous /. posts complaining about unions).

... how would anybody ever know? You should know that in the UK you have the right to see all the documentation about how a company reached the decision to hire a certain person to fill a position when you are applying for that position.

If they can't prove they did it based on objective criteria they would be in deep shit...

as seems to be the case over in the States judging by previous /. posts complaining about unions

Most states aren't "union shop" states where the union can force everyone to join or quit. Several states don't even let unions take your money if you're not a member (some states let the unions take a "negotiation fee" from non-members).

Here in the UK the unions have no rights at all over people who are non-members. The unions in the UK were emasculated by Margaret Thatcher; ironically, I think that they are better organisations for it.